CMPUT 333, Assignment 2, Winter 2019
(non-sliding part - 70%)
University of Alberta / Department of Computing Science
Instructor: Ioanis Nikolaidis (nikolaidis@ualberta.ca)
(firewalls, network services)
Part 1 (10%)
Your first step to completing this assignment is to choose non-trivial root password for your virtual Linux firewall host and non-trivial Administrator passwords for your virtual Windows host. Use your experience from the previous assignment and the readings of this course to choose strong passwords.
Create one regular user account for each (Linux, Windows) system and associate it with a correspondingly difficult-to-guess password.
Your chosen passwords and the reasons you chose them are to be included in the deliverables of this assignment.
Part 2 (15%)
In this task you will configure services from your own group's virtual network and make them available to outsiders (other groups and the TAs) in a manner which is controlled by your firewall host. In this assignment you may need to configure the Linux iptables. The process of taking measures to avoid locking yourselves "out" of your hosts accidentally will be presented in the labs -- but it is always a possibility and for this reason you should take each step carefully.
First, you need to install and/or configure adequate software to provide http services and anonymous ftp services from both your virtual Linux host and from your virtual Windows host. In doing so, make sure you satisfy the following requirements:
- Each ftp service should allow only "anonymous" access.
- Each ftp server should have at least one file of content available, called ftpcontent.pdf, at the top directory of the space accessed by anonymous.
- Each http server should allow content access only to the regular user account you introduced in Part 1 on the corresponding host. It should authenticate to http using the exact same password as the user's login.
- Each http server should have at least a single web page accessible as webcontent.html at the top level once the user is successfully authenticated.
Describe in your report how you performed the above steps. You can use screenshots when helpful. Describe the differences between Linux and Windows on how you achieved the ability to authenticate the user account to allow http content access.
- Answer how you ensure that, if the user changes their account password, this change is automatically (without any additional manual overhead) reflected in the password expected from the user when accessing the http service. What are the similarities/differences between the two systems?
Part 3 (45%)
Your task is to introduce iptables forwarding rules to enforce the following policies, assuming you are group X (where X=1,2,3,4,5,6,7,8,9,10,11,12):
Inbound restrictions:
- Allow any host from the network 10.229.*.* to access the http and ftp service of your Windows host EXCEPT for connections coming from hosts belonging to group X+2 (or group 1 if X=11, or group 2 if X=12) AND connections coming from hosts 10.229.100.52 and 10.229.52.*
- Allow any host from the network 10.229.*.* to access the http and ftp service of your Linux host EXCEPT for connections coming from hosts belonging to group X-2 (or group 11 if X=1, or group 12 if X=2) AND connections coming from hosts 10.229.100.51 and 10.229.51.*
- Allow any host from any network to connect to the ssh service port on any of your group's hosts, and also allow ICMP echo messages (pings) from any host from any network.
- All hosts of your own group's internal network (10.229.X.0/24) should be allowed complete access to your group's hosts.
- If none of the above rules apply, the default is to refuse all other inbound traffic (that is, unless the inbound traffic is caused by your own group's permitted outbound traffic).
- Add rules to log violations of the above rules.
Outbound restrictions:
- Prohibit your Windows host from accessing any services provided by the hosts belonging to group X-1 (12 if X=1) and all services provided by hosts 10.229.100.52 and 10.229.52.*
- Add rules to log any violations of the above restriction.
Deliverables are the iptables rules you used for the implementation of the above policy. Provide comments that explain the rules you used and why you needed each rule.
Important: Your rules will be marked for their effectiveness, i.e., the least number of rules that achieve the exact desired effect. Rule correctness includes, for example, the ability to allow inbound traffic (as the reverse flow) for a connection that was allowed in the outbound direction, i.e., do not forget that TCP connections are bidirectional and also that some protocols, like ftp, can operate in either so-called passive or active mode.
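As an added illustration (not the assignment's own rule file, and not code from the course), the following script shows one way to structure the Part 3 policy as iptables FORWARD rules: return traffic is accepted first through connection tracking so TCP replies and both active and passive FTP data connections pass, each host's exceptions are listed before the broader allow rule so the first match wins, and a single log-and-drop chain records every violation. It assumes, since the page does not give them, that the Windows host is 10.229.X.10 and the Linux host 10.229.X.20, both behind the Linux firewall host; the rules are printed rather than applied so they can be reviewed before touching a live firewall.

```shell
#!/bin/sh
# Added illustration for the Part 3 policy; not the assignment's own rule file.
# Generates iptables FORWARD rules for group X and prints them for review
# instead of applying them (run the output as root to apply).
# Assumptions not stated on the page: the Windows host is 10.229.X.10 and the
# Linux host is 10.229.X.20, both behind the Linux firewall host.

# Map any integer onto the group range 1..12 (group 11+2 -> 1, group 1-2 -> 11).
wrap_group() {
    echo $(( ($1 - 1 + 24) % 12 + 1 ))
}

gen_rules() {
    X=$1
    WIN="10.229.$X.10"
    LIN="10.229.$X.20"
    GROUP_NET="10.229.$X.0/24"
    WIN_DENY=$(wrap_group $((X + 2)))   # group barred from the Windows http/ftp
    LIN_DENY=$(wrap_group $((X - 2)))   # group barred from the Linux http/ftp
    OUT_DENY=$(wrap_group $((X - 1)))   # group the Windows host may not reach
    cat <<EOF
# Default: refuse forwarded traffic that no rule below accepts
iptables -P FORWARD DROP
# One chain that logs and drops, reused for every denial so each violation is logged
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "FW-DENY: "
iptables -A LOGDROP -j DROP
# Track FTP control connections so RELATED matches the data connection in active and passive mode
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Reverse direction of any connection already accepted (TCP replies, FTP data channels)
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound denials for the Windows host must precede the general outbound accept
iptables -A FORWARD -s $WIN -d 10.229.$OUT_DENY.0/24 -j LOGDROP
iptables -A FORWARD -s $WIN -d 10.229.100.52 -j LOGDROP
iptables -A FORWARD -s $WIN -d 10.229.52.0/24 -j LOGDROP
# Internal hosts: full access to the group's own hosts, unrestricted outbound otherwise
iptables -A FORWARD -s $GROUP_NET -j ACCEPT
# ssh and ping to the group's hosts from anywhere
iptables -A FORWARD -d $GROUP_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d $GROUP_NET -p icmp --icmp-type echo-request -j ACCEPT
# http/ftp on the Windows host: exceptions first, then the 10.229.0.0/16 allow
iptables -A FORWARD -d $WIN -p tcp -m multiport --dports 21,80 -s 10.229.$WIN_DENY.0/24 -j LOGDROP
iptables -A FORWARD -d $WIN -p tcp -m multiport --dports 21,80 -s 10.229.100.52 -j LOGDROP
iptables -A FORWARD -d $WIN -p tcp -m multiport --dports 21,80 -s 10.229.52.0/24 -j LOGDROP
iptables -A FORWARD -d $WIN -p tcp -m multiport --dports 21,80 -s 10.229.0.0/16 -j ACCEPT
# http/ftp on the Linux host: same pattern with its own exceptions
iptables -A FORWARD -d $LIN -p tcp -m multiport --dports 21,80 -s 10.229.$LIN_DENY.0/24 -j LOGDROP
iptables -A FORWARD -d $LIN -p tcp -m multiport --dports 21,80 -s 10.229.100.51 -j LOGDROP
iptables -A FORWARD -d $LIN -p tcp -m multiport --dports 21,80 -s 10.229.51.0/24 -j LOGDROP
iptables -A FORWARD -d $LIN -p tcp -m multiport --dports 21,80 -s 10.229.0.0/16 -j ACCEPT
# Everything else inbound is a violation: log it, then drop
iptables -A FORWARD -j LOGDROP
EOF
}

# Print the rule set for the group given as the first argument (group 1 if none):
# for group 1 the denied groups are 3 (Windows inbound), 11 (Linux inbound) and 12 (outbound).
gen_rules "${1:-1}"
```

Rules for services on the firewall host itself (ssh or ping addressed to the firewall rather than forwarded through it) belong in the INPUT chain and are not generated here. The raw-table CT rule is included because recent kernels no longer attach the ftp conntrack helper automatically; without it, passive-mode data connections would not be classified as RELATED and would fall through to the final LOGDROP.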
You are expected to provide in your submission all the relevant credentials (e.g., password to your hosts) to the TAs in order for them to accurately test your firewall rules.
Even though we do not talk about UDP services, they should be treated in a manner compatible with the spirit of the above rules. In presenting the rules you decided to use for UDP explain why you thought they are compatible with the provided policy.
It is allowed that you coordinate among groups to have other groups attempt connections (or for you to attempt connections to other groups) so you can check whether your rules are correct. However it is PROHIBITED to share rule files with other groups or to give your passwords to other groups for the sake of logging into your machines.
Part 4 (30%)
Sliding component (due with Assignment 3) will be posted separately.
Deliverables
Only one of the group members needs to submit on behalf of the entire group (in the event of more than one submission, the last one will be considered). Your report (in plaintext, markdown, or pdf format) should include answers to the questions posed in the specification. You should cite any resources that you used to produce your answers. Your report should be accompanied by all relevant files, e.g., a dump of your iptables rules. By default it is assumed that all group members contribute equally to the assignment. If you need to deviate from this model of cooperation, explain why and indicate who was responsible for what.
(The sliding part (and the sliding part only) will be submitted separately, by the deadline of the non-sliding part of Assignment 3. It is not due on the deadline of Assignment 2.)
Friday, February 22 2019